CVE-2025-14844 is a critical authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Membership Plugin – Restrict Content for WordPress, developed by stellarwp. The vulnerability exists in all versions up to and including 3.2.16 within the function 'rcp_stripe_create_setup_intent_for_saved_card'. This function lacks proper capability checks and fails to validate a user-controlled key parameter, allowing unauthenticated attackers to invoke it remotely. As a result, attackers can retrieve Stripe SetupIntent client_secret values, which are sensitive tokens used to securely set up payment methods without exposing full payment credentials. The exposure of these tokens compromises the confidentiality of payment setup processes and could potentially lead to fraudulent payment method setups or unauthorized access to membership payment configurations. The vulnerability does not impact data integrity or availability directly but poses a significant risk due to the sensitive nature of the leaked information. The CVSS v3.1 score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) indicates a high-severity remote exploit with no required privileges or user interaction. Although no exploits are currently known in the wild, the widespread use of WordPress and this plugin in membership and subscription-based websites makes this vulnerability a critical concern. The lack of an official patch at the time of reporting necessitates immediate attention to mitigate potential exploitation.

The primary impact of CVE-2025-14844 is the unauthorized disclosure of Stripe SetupIntent client_secret tokens, which are critical for securely managing payment method setups in membership sites. This leakage can lead to unauthorized payment method configurations or fraudulent transactions, undermining customer trust and potentially causing financial losses. Organizations relying on the Membership Plugin – Restrict Content for subscription or membership management face risks of payment fraud and data breaches. The vulnerability's ease of exploitation (no authentication or user interaction required) increases the likelihood of automated attacks targeting vulnerable sites. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach of payment tokens can have cascading effects, including regulatory non-compliance (e.g., PCI DSS violations), reputational damage, and increased operational costs due to incident response and remediation. The impact is especially critical for e-commerce, SaaS, and membership-based businesses that process payments via Stripe integration through this plugin.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict access to the vulnerable endpoint by configuring web application firewalls (WAFs) or server-level access controls to block unauthenticated requests to 'rcp_stripe_create_setup_intent_for_saved_card'. 2) Monitor web server logs for unusual or repeated access attempts to the vulnerable function and Stripe-related API calls. 3) Disable or temporarily deactivate the Membership Plugin – Restrict Content if feasible, especially on sites with high payment transaction volumes. 4) Employ strict capability checks and input validation in custom plugin code or overrides to ensure user-controlled keys are validated and authenticated. 5) Coordinate with the plugin vendor (stellarwp) to obtain patches or updates as soon as they become available and apply them promptly. 6) Review Stripe account activity for suspicious SetupIntent creations or payment method setups and enable Stripe’s fraud detection features. 7) Educate site administrators on the risks and ensure timely updates of all WordPress plugins to minimize exposure to similar vulnerabilities.